Request for Applications: Security of Implementations of Post-Quantum Cryptography Algorithms

Scope

• The security of the implementations of PQC algorithms is vital for maintaining the confidentiality, integrity, authenticity and availability of digital information and communications in the face of implementation attacks, such as, for example, side-channel attacks using information from timing, power consumption, electromagnetic radiation, fault attacks disturbing the secure of operation of the device and their combination. Such attacks, eventually also enhanced by the use of deep learning, constitute significant threats to both (embedded and regular) software and hardware implementations. In various application areas such as IoT, cloud-based applications, automotive, measures to prevent such attacks currently lead to substantial resource overhead due to the complexity of the algorithms, and the security remains unclear given the limited exploration of different attack surfaces. Countermeasures, to the extent that they are available, may have significant impact on run-time and memory consumption. Resistance in PQC implementations to implementation attacks is an increasingly common concern among customers, especially when exploring the right balance between security and performance.
• Evaluating the security of PQC algorithm implementations against side-channel and fault attacks is crucial, given the proven vulnerabilities. Various countermeasures, such as masking, shuffling, randomized clocking, random delay insertion, constant weight encoding, code polymorphism, control-flow integrity and re-computation of critical operations can be employed to mitigate these attacks. Synergies between specific countermeasures and the design of cryptographic systems are available for pre-quantum cryptography but require investigation for post-quantum cryptography.
• Proposals are welcome on developing solutions that protect against such implementation attacks, at reasonable costs and minimizing the loss of performance while maintaining the required security, as well as on the analysis of new attacks or combinations of attacks, also powered by the use of AI, for security-by-design approaches when designing Post Quantum Cryptographic systems. Activities can also lead to the development of testing methodologies and frameworks for automated security evaluations for correctness and resistance to remote side-channel attacks for regular software and for correctness and resistance to a broad range of implementation attacks for embedded software and hardware.

Funding Information

• Budget (EUR) – Year 2025: 6 000 000
• Contributions: 2000000 to 3000000

Expected Impacts

• Support the EU’s technological capabilities by investing in cybersecurity research and innovation to further strengthen its leadership, strategic autonomy, digital sovereignty and resilience;
• Help protect its infrastructures and improve its ability to prevent, protect against, respond to, resist, mitigate, absorb, accommodate and recover from cyber and hybrid incidents, especially given the current context of geopolitical change;
• Support European competitiveness in cybersecurity and European strategic autonomy, by protecting EU products and digital supply chains, as well as critical EU services and infrastructures (both physical and digital) to ensure their robustness and continuity in the face of severe disruptions;
• Encourage the development of the European Cybersecurity Competence Community;
• Particular attention will be given to SMEs, who play a crucial role in the cybersecurity ecosystem and in overall EU digital single market competitiveness, by promoting security and privacy ‘by design’ in existing and emerging technologies.

Expected Outcomes

• Projects’ results are expected to contribute to some or all of the following outcomes:
  • Design and implementations of Post-Quantum Cryptography (PQC) algorithms that are resistant to side-channel and fault attacks;
  • Optimized countermeasures taking into account a balanced trade-off between security, performance, and costs;
  • Recommendations on implementing countermeasures for a broad range of attacks, also identifying the available and necessary hardware;
  • Analysis of new attacks or combinations of attacks, also eventually enhanced by AI, applicable to real-world conditions.
  • Design of automated security evaluations for PQC implementations.

Eligibility Criteria

• Entities eligible to participate:
  • Any legal entity, regardless of its place of establishment, including legal entities from nonassociated third countries or international organisations (including international European research organisations) is eligible to participate (whether it is eligible for funding or not), provided that the conditions laid down in the Horizon Europe Regulation have been met, along with any other conditions laid down in the specific call/topic.
  • A ‘legal entity’ means any natural or legal person created and recognised as such under national law, EU law or international law, which has legal personality and which may, acting in its own name, exercise rights and be subject to obligations, or an entity without legal personality.
• To become a beneficiary, legal entities must be eligible for funding.
• To be eligible for funding, applicants must be established in one of the following countries:
  • the Member States of the European Union, including their outermost regions:
    • Austria, Belgium, Bulgaria, Croatia, Cyprus, Czechia, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden.
  • the Overseas Countries and Territories (OCTs) linked to the Member States:
    • Aruba (NL), Bonaire (NL), Curação (NL), French Polynesia (FR), French Southern and Antarctic Territories (FR), Greenland (DK), New Caledonia (FR), Saba (NL), Saint Barthélemy (FR), Sint Eustatius (NL), Sint Maarten (NL), St. Pierre and Miquelon (FR), Wallis and Futuna Islands (FR).
  • countries associated to Horizon Europe;
    • Albania, Armenia, Bosnia and Herzegovina, Canada, Faroe Islands, Georgia, Iceland, Israel, Kosovo, Moldova, Montenegro, New Zealand, North Macedonia, Norway, Serbia, Tunisia, Türkiye, Ukraine, United Kingdom.

For more information, visit EC.